b'       Office of Inspector General\n\n        U.S. Department of Labor\nOffice of Information Technology Audits\n\n\n\n\n    Strengthening OSHA\xe2\x80\x99s Software\n       Management Controls Can\n         Prevent Unauthorized\n       Software Use and Potential\n            Software Piracy\n\n\n\n\n            FINAL REPORT\n\n\n\n\n                    Report Number: 23\xe2\x80\x9302\xe2\x80\x93005\xe2\x80\x9310\xe2\x80\x93001\n                    Date Issued:   August 19, 2002\n\x0c                                            TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY ...........................................................................................................1\n\nBACKGROUND ............................................................................................................................2\n\nOBJECTIVES, SCOPE, METHODOLOGY AND CRITERIA\n\n      Objectives.................................................................................................................................3\n\n      Scope.........................................................................................................................................3\n\n      Methodology ............................................................................................................................3\n\n      Criteria .....................................................................................................................................4\n\nFINDINGS AND RECOMMENDATIONS\n\n      I. Unauthorized Software Exists in OSHA ...........................................................................5\n\n     II. Ineffective Software Management Policies and Procedures...........................................6\n\n          A. OSHA Needs to Prepare an Authorized Software\n               Inventory List and Keep It Current .......................................................................6\n\n          B. Ineffective Controls Over Certification/Authorization Checklist Form .................7\n\n          C. OSHA Does Not Monitor Outdated Software Product Versions .............................8\n\nCONCLUSION ..............................................................................................................................9\n\nRECOMMENDATIONS.............................................................................................................10\n\nACRONYMS................................................................................................................................11\n\nGLOSSARY..................................................................................................................................12\n\nRECONCILIATION OF OSHA\xe2\x80\x99S AUTHORIZED SOFTWARE........................EXHIBIT A\n\nSOFTWARE APPLICATIONS THAT APPEARED\n   QUESTIONABLE BASED ON OIG ANALYSIS ...........................................EXHIBIT B\n\nOSHA\xe2\x80\x99S COMMENTS ON DRAFT REPORT................................................... APPENDIX A\n\x0c                             EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) conducted an audit to determine whether the\nOccupational Safety and Health Administration (OSHA) has proper procedures in place\nto ensure authorized computer software products are not used in violation of copyright\nlaws, and whether unauthorized software products exist on the agency\xe2\x80\x99s computers.\n\nDuring our audit, we scanned 166 randomly selected computers in OSHA\xe2\x80\x99s National,\nregional and area offices, and OSHA\xe2\x80\x99s Technical Center (laboratory) in\nSalt Lake City, Utah. We found 221 unauthorized software products, including 27\ndifferent computer games. We found no violations of copyright laws for authorized\nsoftware products.\n\nIn addition to the potential software piracy issue, the installation and use of unauthorized\nsoftware products creates other unnecessary risks for OSHA, such as the possible\nintroduction of computer viruses. The use of unauthorized software can also degrade\ncomputer functionality, as the unauthorized products consume memory and processing\ntime.\n\nInadequate software management policy and procedures contribute to the installation and\nuse of unauthorized software on agency computers. For example, OSHA does not\nconduct periodic software inventories and, as a result, cannot maintain a complete and\naccurate listing of unauthorized software.\n\nTo improve agency software management and prevent the installation of unauthorized\nsoftware products, we recommend that the Assistant Secretary for Occupational Safety\nand Health:\n\n1.     Remove all unauthorized software applications and games identified by our audit,\n       including older version, software products. Legally purchased older software\n       products should be removed from individual workstations and stored in a safe\n       location.\n\n2.     Develop and perform a periodic (at least once per year) software inventory and\n       use this inventory to maintain an updated list of all OSHA authorized software.\n\n3.     Revise and update OSHA Directive PRO 3.5 dated June 9, 1993, to include\n       current hardware and software standards and establish procedures on the\n       monitoring of information technology (IT) assets including a review of IT\n       Acquisition forms and license agreements.\n\n                                 ----       ----        ----\n\nBased on OSHA\xe2\x80\x99s response to the draft report, and the planned corrective actions, the\nOIG has resolved all of the above recommendations. OSHA agreed to take steps for the\npurpose of addressing and resolving OIG\xe2\x80\x99s recommendations (Appendix A). However,\n\n\n                                            1\n\x0cOSHA has taken exception to the Webshots purchase example used by OIG in the draft\nreport. OSHA does not discourage the use of screen savers, and OSHA believes the\ndiscussion of the Webshots purchase was unnecessary since it went beyond the stated\nscope of the audit. While the OIG acknowledges OSHA\xe2\x80\x99s request to delete the\ndiscussion of the Webshots purchase, the OIG does not view the information as\nextraneous to the audit report.\n\n                                  BACKGROUND\n\nSoftware piracy occurs whenever a software program is downloaded and installed, run, or\ncopied without a proper license from the software manufacturer.\n\nSoftware vendors attempt to control the unauthorized use of their products through\nlicense agreement provisions. Federal copyright statutes protect the license agreements.\nThe specific license agreement for each software product is explained in documentation\naccompanying the system installation and program diskettes. License agreements specify\nthat each software program purchased be used on one computer at a time, at a site, or on a\nLocal Area Network (LAN).\n\nOne way in which software piracy can occur is if Department of Labor (DOL) employees\nbring software applications from home or by downloading it from the Internet. In order\nfor DOL agencies to control and prevent software piracy, there must be a process in place\nfor identifying what the agency owns and what is allowed to be installed on government\ncomputers. EO 13103 encourages government agencies to prepare software inventories\nand determine which software products they are authorized to use.\n\nThe OSHA nationwide network, the OSHANET, provides employees with IT resources\nto help them effectively perform their OSHA duties and responsibilities. The OSHANET\nencompasses user workstations, servers, network devices, software, and data\ncommunications equipment. OSHA\xe2\x80\x99s Directorate of Information Technology is\nresponsible for the management and administration of the OSHANET.\n\n\n\n\n                                          2\n\x0c      OBJECTIVES, SCOPE, METHODOLOGY AND CRITERIA\n\nOBJECTIVES\n\nThe objectives were to determine whether OSHA has the proper controls and procedures\nin place to ensure computer software products are not used in violation of copyright laws,\nand whether unauthorized software exists on the agency\xe2\x80\x99s computers.\n\nSCOPE\n\nThe audit was conducted in OSHA\xe2\x80\x99s National Office and Technical Center in Salt Lake\nCity, Utah, and selected regional and area offices.\n\nWe scanned a total of 166 workstations, which included 104 in the National Office and\n62 in OSHA regional and area offices in Chicago, Dallas, Philadelphia, San Francisco,\nand OSHA\xe2\x80\x99s Technical Center in Utah. Computers in the National Office, regional\noffices, area offices, and the Technical Center were selected for testing based on a\nrandom sample.\n\nThe audit was conducted during the period of May 30, 2001 through March 15, 2002. An\nexit conference was held on March 18, 2002.\n\nMETHODOLOGY\n\nThe audit was conducted in accordance with Government Auditing Standards (GAS)\nissued by the Comptroller General of the United States.\n\nOIG used a software tool developed by Attest System, Inc., titled Gottlieb & Associates\nSearch Program (GASP 5.2) to test OSHA\xe2\x80\x99s computers. Using this tool, OIG performed\na scan of 166 workstations in OSHA to detect whether unauthorized software was\ninstalled on the computers. Specifically, we scanned a total of 104 workstations in the\nNational Office and 62 workstations throughout various regional and area offices to\ndetermine whether any appeared unusual or suspect. The audit software was loaded on\nthe computer by inserting the audit disk in the computer\xe2\x80\x99s floppy drive. As the program\nis executed, it searches for all files containing programmed instructions associated with\nsoftware applications. The reporting module of GASP comes with a Software\nIdentification Database (SID), which allows it to identify which applications were found,\nand its related information such as publisher, version and title. Upon completion of the\nscanning process, analyses were performed to identify unauthorized software products.\n\nWe requested a list of authorized software and supporting documentation from OSHA in\nan attempt to create a software profile. OSHA\xe2\x80\x99s list of 18 software titles, however, was\nnot detailed or comprehensive enough to allow scanning using the GASP profiling\nfeature. As a result, we were not able to generate exception reports for software products\nnot matching the profiled information. Our procedure, instead, consisted of scanning\nindividual workstation computer \xe2\x80\x9cC\xe2\x80\x9d drives to capture all software products contained in\n\n\n                                          3\n\x0ceach individual workstation computer. This resulted in extending the audit\xe2\x80\x99s period of\nperformance.\n\nA list of software products found to be unusual by OIG was submitted to OSHA for its\nreview and determination as to whether the software was authorized for use in the agency\nand whether accompanying documentation (i.e., license agreements, purchase orders,\nrequisitions, and approval forms) existed. OSHA\xe2\x80\x99s review resulted in its providing us\nwith additional documentation that increased the original list of authorized software\nproducts from 18 to 145, an increase of 127 products.\n\nThe additional 127 software products, with the accompanying documentation, were\nreviewed by OIG to determine whether the additional software products corresponded to\nOIG\xe2\x80\x99s list of software identified as unusual (Exhibit A).\n\nIn establishing audit results, a distinction is made between copies of software and number\nof software packages. The number of copies found for the games in OSHA is the total\noccurrences of games found, i.e. the same game may be counted more than once as it\nappears on more than one computer. The number of software packages only counts a\nparticular application once (per geographical location) regardless of how many times it\nwas found on different computers (Exhibit B). OIG does have the information available\nshould OSHA need to know specifically how many copies were found for each software\napplication. However, for the purpose of presenting the results in Exhibit B, OIG does\nnot show the number of copies found.\n\nIn addition to scanning, our assessment was limited to policies and procedures covering\ninternal controls relative to copyright/licensing requirements and software authorized for\nuse on individual workstations.\n\nCRITERIA\n\nWe used as criteria for this audit the U.S.C. Title 17, Chapter 5, Copyright Law\nInfringement and Remedies; Executive Order (EO) 13103, Computer Software Piracy;\nthe Department of Labor Manual Series (DLMS-9) Chapter 1200, Microcomputer and\nLAN Management ; OSHA Directive (PRO 3.5) \xe2\x80\x93 End-User Computer (EUC) Policy; and\nOSHA Directive (ADM 1-0.19) OSHANET Acceptable Usage Policy.\n\nU.S.C., Title 17, section 504 (as limited by 28 U.S.C. 1498 (b)) states that a civil action\nmay be instituted against the Federal Government for actual damages.\n\nEO 13103 relating to computer software piracy states that it shall be the policy of the\nUnited States Government to work diligently to prevent and combat computer software\npiracy to prevent the violation of applicable copyright laws.\n\nOSHA Directive PRO 3.5 establishes policy, guidelines, standards and procedures, and\nassigns roles and responsibilities for the acquisition of End-User Computer (EUC)\n\n\n\n\n                                            4\n\x0cresources including stand-alone workstations, laptop comp uters, and associated software\nand peripherals for amounts not exceeding $2,500.\n\nOSHA Directive ADM 1-0.19 OSHANET, Acceptable Usage Policy, describes and sets\nforth guidelines for use of OSHANET and any of its resources. Software products not\nproperly licensed and authorized for use by OSHA should not be installed or run on any\nOSHANET workstation or server according to OSHA policy.\n\n                  FINDINGS AND RECOMMENDATIONS\n\nOIG found that unauthorized software products and copies of games reside on OSHA\xe2\x80\x99s\ncomputers, and that OSHA needs to strengthen controls over software management\npolicies and procedures.\n\nI. UNAUTHORIZED SOFTWARE EXISTS IN OSHA\n\nDuring our audit, we scanned 104 workstations in the National Office and 62\nworkstations in vario us regional and area offices, and OSHA\xe2\x80\x99s Technical Center in Salt\nLake City, Utah. Our analysis of the results of these computer scans identified the\nfollowing unauthorized software products:\n\nApplications\n\n\xe2\x80\x98 194 software applications were determined to be unauthorized based on the\n  information provided by OSHA (Exhibit A) after review of 203 questionable software\n  applications (Exhibit B);\n\nGames\n\n\xe2\x80\x98 136 copies of 19 different Microsoft Corporation software games were found on\n  workstations; and\n\n\xe2\x80\x98 30 copies of 8 different software games by various software publishers other than\n  Microsoft Corporation were found on workstations.\n\nOSHA DIT stated that, in accordance with OSHA\xe2\x80\x99s policy, games should not be installed\non workstations. OSHA stated that games were allowed in the past for users to practice\nmouse and cursor movement, but remarked that OSHA has not gone back to disable the\noperating system option that gives the users access to this function.\n\nOSHA Directive, ADM 1-0.19 \xe2\x80\x93 OSHANET Acceptable Usage Policy, Chapter X \xe2\x80\x93\nparagraph B, items 4 and 11 state that playing games and loading unauthorized or\npersonal software is considered non-acceptable personal use.\n\nThe use of unauthorized software creates unnecessary risks for the agency. In addition to\nthe potentia l software piracy issue, the use of unauthorized software can lead to the\n\n\n                                          5\n\x0cintroduction of viruses, and degradation of computer functionality, as memory and\ncomputer processing are allocated to users of unauthorized software.\n\nII. INEFFECTIVE SOFTWARE MANAGEMENT POLICIES AND\n    PROCEDURES\n\nOIG found key areas that can improve OSHA\xe2\x80\x99s ability to manage agency software.\nThese areas include taking a periodic software inventory, establishing an effective\nmechanism for the certification and authorization of software, and monitoring and\nreplacing versions of software products as software updates are introduced.\n\nA. OSHA Needs to Prepare an Authorized Software Inventory List and Keep It\n   Current\n\nThe OIG identified 203 questionable software products on OSHA\xe2\x80\x99s computers as a result\nof scanning. OIG then requested confirmation from OSHA on the legitimacy of the 203\nspecific questionable (potentially unauthorized) software applications.\n\nSince OSHA does not have a software inventory, OSHA was not able to directly address\nOIG\xe2\x80\x99s list of 203 software applications. Instead, OSHA chose to use supporting\ndocumentation from all previously authorized software covering its National, regional\nand area offices, and provided this information to OIG. OIG used this information in its\nanalysis of OSHA approved software in lieu of an agency software inventory.\n\nEO 13103 relating to computer software piracy states that:\n\n       Each agency shall establish procedures to ensure that the agency has present on its\n       computers and uses only computer software not in violation of applicable\n       copyright laws. These procedures may include:\n\n               A. Preparing agency inventories of the software present on its\n                  computers.\n\n               B. Determining what computer software the agency has the\n                  authorization to use.\n\nIn addition, OSHA\xe2\x80\x99s own EUC policy (PRO 3.5) states \xe2\x80\x9cFederal regulations and\nDepartmental policy require OSHA to maintain an accurate inventory of all information\ntechnology acquisitions.\xe2\x80\x9d It states that those acquisitions \xe2\x80\x9cinclude freeware and\nshareware\xe2\x80\x9d and that the Office of Management Data Systems (OMDS) is responsible for\nmaintaining OSHA\xe2\x80\x99s information technology inventory.\n\nBy not having a complete, up-to-date inventory, OSHA does not know what is installed\non its computers and is unable to ensure computer software products are used in\naccordance with software copyright laws, licenses, and agency standards.\n\n\n\n\n                                          6\n\x0cB. Ineffective Controls Over Certification/Authorization Checklist Form\n\nDuring the audit, OSHA provided documentation supporting legal ownership of its\nsoftware products. OIG noticed that the forms used to authorize and certify the\nacquisition of EUC resources not exceeding $2,500 were not always signed, and lacked\nappropriate information for the purpose of justifying related acquisitions.\n\n1. Forms not always signed\n\nOSHA uses a Certification/Authorization Checklist Form that is used to identify the need\nand justification for acquiring software. The use of this form appears to be inconsistent\nand not serving the purpose intended by OSHA\xe2\x80\x99s policy.\n\nThe form is to be approved by the appropriate Directorate Head in the National Office,\nand should be approved by the Regional Administrators for area, district, and regional\noffices. OIG observed, however, the forms are not always signed. For example, all\nsignature lines are left blank on some forms, and only the area office official signed\nothers.\n\nOSHA\xe2\x80\x99s policy (PRO 3.5 \xe2\x80\x93 End-User Computer \xe2\x80\x93EUC Policy) states that:\n\n       EUC requests are to be submitted by Area, District, and Regional\n       Office managers to the appropriate Regional Administrator for review,\n       approval and processing.\n\nAn unsigned Certification/Authorization form indicates that a request for a particular\nsoftware application has not been properly authorized, and that OSHA is not\nimplementing internal controls consistently.\n\n2. Insufficient justification\n\nThe Certification/Authorization Checklist Form does not clearly justify software\napplication needs. The \xe2\x80\x9cJustification\xe2\x80\x9d section of the form is a blank that is to be filled in\nby a one word description of the reason why the software is necessary and required. In\none case, OIG observed that one software application authorized through the use of this\nform was Webshots by The Webshots Corporation. The justification for this software\nbeing required to benefit the agency is that it is necessary to \xe2\x80\x9cperform screensavers.\xe2\x80\x9d\nWebshots allows individuals to customize screensavers, wallpaper and electronic\npostcards, as well as download photos in Webshots photo albums. The purchase of\nscreensavers would not be required as this function is available through the Windows\ndesktop properties.\n\nOIG also found there are potential threats associated with applications such as Webshots.\nWebshots was downloaded on one of OIG\xe2\x80\x99s computers for test purposes. After removing\nthe application, we noticed problems with our system. For example, launching the web\nbrowser automatically opened the Webshots company website as opposed to the normal\n\n\n\n                                            7\n\x0cOIG homepage. Further, the operating system Internet options settings were disabled\npreventing the user to reset the normal default. The problem required the intervention of\nOIG\xe2\x80\x99s computer assistance division to fix the problem.\n\nOSHA\xe2\x80\x99s policy (PRO 3.5 \xe2\x80\x93 End-User Computer \xe2\x80\x93EUC Policy) establishes identification\nof needs and justification criteria by stating that:\n\n       Decisions to acquire new EUC resources (smaller than $2,500) shall\n       be based upon individual, workgroup and program needs, established\n       priorities and existing resources. Furthermore, needs shall be\n       presented in the form of a written justification that is based on\n       increased efficiency, improved effectiveness, or innovation. The same\n       criteria are followed for freeware and shareware.\n\nWithout having sufficient information to make a decision on whether to approve a\nparticular application, the approving official may be certifying software that is not\nnecessary for the benefit of the agency. For example, the one word description used for\nstating the reason for acquiring Webshots was not enough for OSHA to properly assess\nthe necessity of this application. The approving official would need more details on the\nfunctionality, features, utility, and nature of this software.\n\nC. OSHA Does Not Monitor Outdated Software Product Versions\n\nThe original list of authorized software applications given to OIG auditors was composed\nof version specific applications. However, our audit showed that some software\napplications installed on OSHA\xe2\x80\x99s computers included various versions of the same\napplication. The following example illustrates this point:\n\n\xe2\x80\x98 OIG found 5 copies of WordPerfect for DOS 5.1 on 4 computers in the National\n  Office, i.e., one computer had 2 copies of WordPerfect for DOS 5.1.\n\n\xe2\x80\x98 OSHA\xe2\x80\x99s original authorized list of software application included WordPerfect 8.0 as\n  the authorized version. We expected we would find WordPerfect 8.0 to be the\n  standard word processing software installed on OSHA computers. However, we\n  found WordPerfect versions DOS 5.1, 6.1c, 7.0.1a, and 8.0.\n\nOSHA\xe2\x80\x99s Directive (PRO 3.5) includes a section on Compatibility and Connectivity\nStandards and Guidelines. In this section, it is stated \xe2\x80\x9c. . . to bring OSHA into\ncompliance with Federal regulations and the Department \xe2\x80\x98ITA-2000\xe2\x80\x99 initiative, the\nAgency has established three basic categories of EUC resources.\xe2\x80\x9d\n\n\xe2\x80\x9cOSHA Standard EUC Resources\xe2\x80\x9d outlines what software products are authorized for use\nin OSHA. OSHA\xe2\x80\x99s standard software includes a list of version specific software\nproducts, such as WordPerfect 5.1, and Lotus 1-2-3 Version 3.1. OIG observed that\nOSHA\xe2\x80\x99s computers contained multiple versions of various software products (as\nidentified on Exhibit B). OSHA does not appear to be following its own policy. This\n\n\n\n                                          8\n\x0cdirective and standards contained within, however, are old and outdated, i.e., OSHA\nDirective PRO 3.5 is dated June 9, 1993.\n\nUniformity and software version control are important when implementing standards in\norder for users to be able to seamlessly exchange data. For example, OSHA maintains\nWordPerfect DOS 5.1 but the agency\xe2\x80\x99s standard is WordPerfect 8.0. Also, some\nsoftware products that are available as shareware, for instance, specifically state that the\npublisher does not have an obligation to support previous (older) versions of its products.\nFor example, the Acrobat Reader\xe2\x80\x99s licensing agreement states the following:\n\n       If the Software is an Update to a previous version . . . you may\n       continue to use the previous version of the Software on your computer\n       after you receive the Update to assist you in the transition to the\n       Update, provided that . . . you acknowledge that any obligation Adobe\n       may have to support the previous version of the Software may be\n       ended upon availability of the Update.\n\nOSHA has expressed concern over the need to remove older software applications.\nOSHA believes its decision to support the older applications is acceptable since the\nagency legally purchased the software.\n\nIf OSHA legally purchased software, which is currently outdated and not part of the\nstandards, it would be best to remove the software from individual workstations and store\nthe program disk(s) in a safe location. The applications can be accessed and installed\ntemporarily should OSHA have a need for this application that cannot be met by newer\nauthorized standard versions. In addition, having everyone using the latest version of a\nsoftware product prevents potential problems associated with technical support of\noutdated versions.\n\n                                    CONCLUSION\nOur audit found that unauthorized software products exist in OSHA and ineffective\nsoftware management policies and procedures that need to be revised to include new\nhardware and software standards as well as proper inventory procedures.\n\nOSHA will benefit from strengthening its software management controls by ensuring the\nprevention of unauthorized software use and potential software piracy. OSHA has\nrecognized this benefit by stating it is committed to follow OIG recommendations in\norder to improve software management.\n\n\n\n\n                                           9\n\x0c                            RECOMMENDATIONS\n\nWe recommend the OSHA\xe2\x80\x99s Assistant Secretary take the following corrective measures\nto improve the agency\xe2\x80\x99s software management:\n\n1.     Remove all unauthorized software applications and games identified by our audit,\n       including older version, software products. Legally purchased older software\n       products should be removed from individual workstations and stored in a safe\n       location.\n\n2.     Develop and perform a periodic (at least once per year) software inventory and\n       use this inventory to maintain an updated list of all OSHA authorized software.\n\n3.     Revise and update OSHA Directive PRO 3.5 dated June 9, 1993, to include\n       current hardware and software standards and establish procedures on the\n       monitoring of IT assets including a review of IT Acquisition forms and license\n       agreements.\n\nManagement Comments\n\nOSHA\xe2\x80\x99s Assistant Secretary provided comments in reference to the above\nrecommendations on July 15, 2002. OSHA has taken exception to the Webshots\npurchase example used by OIG in the draft report. OSHA does not discourage the use of\nscreen savers, and OSHA believes the discussion of the Webshots purchase was\nunnecessary since it went beyond the stated scope of the audit. While the OIG\nacknowledges OSHA\xe2\x80\x99s request to delete the discussion of the Webshots purchase, the\nOIG does not view the information as extraneous to the audit report. OSHA\xe2\x80\x99s comments\nhave been included as part of this report in Appendix A.\n\nOIG Response\n\nAlthough OSHA disagrees with OIG about the issues concerning older version software\nproducts and screensavers, the OIG has resolved all of the above recommendations based\nupon OSHA\xe2\x80\x99s planned corrective actions, and will continue to work closely with OSHA\nto bring each to closure.\n\n\n\n\n                                         10\n\x0c                 ACRONYMS\n\nADM        Administrative Directive\n\nCIO        Chief Information Officer\n\nDIT        Directorate of Information Technology\n\nDLMS       Department of Labor Manual Series\n\nDOL        U. S. Department of Labor\n\nDOS        Disk Operating System\n\nEO         Executive Order\n\nEUC        End User Computer\n\nGAS        Government Auditing Standards\n\nGASP       Gottlieb & Associates Search Program\n\nIT         Information Technology\n\nITA-2000   Information Technology Architecture - 2000\n\nLAN        Local Area Network\n\nOIG        Office of Inspector General\n\nOMDS       Office of Management Data Systems\n\nOSHA       Occupational Safety and Health Administration\n\nOSHANET    Occupational Safety and Health Administration Network\n\nPRO        Procedure Directive\n\nSID        Software Identification Database\n\nU.S.C.     United States Code\n\n\n\n\n                      11\n\x0c                                    GLOSSARY\n\nCopyright :\n\n                     Form of statutory protection, which allows its owner the exclusive\n                     right to cont rol, among other things, the copying, distribution and\n                     preparation of derivative works of authored materials.\n                     International treaties and laws in most countries provide for\n                     protection of software under copyright provisions.\n\nSoftware license agreement :\n\n                     Legal agreement between a software user (the licensee) and the\n                     software developer that sets the terms and conditions under which\n                     the software and its accompanying materials may be used.\n\nTypes of licensing agreements:\n\n                     Stand-alone licenses are commonly used to describe two types of\n                     licensing arrangements: a machine license that restricts use to a\n                     particular computer, and a single- user license that restricts use to\n                     an individual.\n\n                     Site licenses (also referred to as building licenses) permit the\n                     licensee to make as many copies as needed, provided they are used\n                     at just one site or building.\n\n                     District licenses allow the licensee to put multiple copies of the\n                     software on personal computers located in offices throughout the\n                     organization. In some instances, the licensee must specify the sites\n                     or offices where the software will be used.\n\n                     Network licenses (also referred to as file-server licenses) permit\n                     the licensee to install the software on a file server. In some cases,\n                     the licensee may restrict the numbers or location of computers on\n                     the local area network.\n\n                     Volume licenses allow the licensee to have a specific number of\n                     users within either an office site or an entire organization. This\n                     number is often based on average daily attendance.\n\n\n\n\n                                         12\n\x0c\x0c\x0c\x0c\x0c'